WTF is digital identity?

The holy grail of digital identity is that people only provide the minimum data necessary for their purpose

Legally accepted IDs and passports show that we are who we say we are in the physical world, but don’t do the same in the digital world

Tanaya Macheel | May 15, 2017

Moving shopping and banking online means our transactions are more than making money: They’re about getting data.

“People are extremely aware of how digitized their lives have become and how little control over that. They want to know that if they’re providing this info they’re getting something for it and it’s not just for banks or large technology companies to use for their own purposes,” said Steven Ehrlich, lead analyst for emerging technologies at Spitzberg Partners.

That data says a lot about us — a lot more than a piece of plastic with a photo and address on it. There lies the digital identity dilemma: legally accepted drivers licenses and passports supposedly show that we are who we say we are in the physical world, but don’t do the same in the digital world. As the digital world evolves, that could get complicated. But right now banks, technology firms and governments are all looking at how to make it easier for people to prove they are who say they are, effectively allowing customers to own their own identity. In this WTF, we dive deep into digital identity.

So, what’s a digital identity?
A guy walks into a bar and shows the bartender his ID. In doing so, he gives the bartender more information than he needs: his name, date of birth, address, height, weight, eye color, whether or not he’s an organ donor. But all the bartender needs to verify is this guy’s date of birth, because all he needs to know is if he’s of the age to be in a bar.

People do this online everyday: when they want to login somewhere or make a transaction they often give away more data than they may realize they want to, and to a company that doesn’t need all of that information.

“How the consumer behaves when online, what they share about themselves, where they’re located, how they interact with their device — all of those components are really what creates digital identity,” said Kim Sutherland, senior director of fraud and identity management strategy at LexisNexis Risk Solutions. “There are use cases where your digital identity never has been connected to the physical world and there are other times when your digital ID and physical ID do need to intersect.”

What’s the problem?
Everyone owns your identity, except you. According to the government, you are what your drivers license or identification card says you are. Amazon, Facebook and Google identify you by the places you check into and map, what you purchase and where you have it delivered. But the airline operating your flight home won’t believe you’re you if you give them the email tied to all that data. And Amazon doesn’t ask for your drivers license when you want to buy something, you enter a password.

Where do banks come into this?
Banks are well positioned to provide identity verification services because of the amount of data they hold and the level of trust consumers and corporations have in them as authoritative institutions. Even when confidence is low.

“Banks really think about their role as custodians of personal data and the identities of their customers,” said Ehrlich. “They recognize it’s becoming more important to have access to this information so they can optimize services but do it in a way that is transparent, secure and equitable so people continue to use the services and provide them with even more data.”

Now banks need to look at what data is necessary for them to conduct their operations and how they can best use the information to optimize their services in a way that makes their clients feel they really are equal partners.

What’s the solution?
The holy grail of digital identity is that people only provide the minimum data necessary for their purpose. There isn’t a credible plan to make it happen across the world and across industries. But everyone involved is working on it.

“In order to get to that situation we need to find a way for people to be in charge of their own information so they don’t necessarily have to trust a bank or Google or Facebook,” Ehrlich said.

Biometric authentication efforts are the most visible examples.

IBM is working with security company SecureKey and several major Canadian banks on an app that would push notifications to people when utility providers need access to their information. For example, when signing up for a new phone line, the customer would receive a notification saying the wireless provider needs to verify his or her name, address, date of birth and social security number, and that it will access that information through the customer’s bank. The customer approves, by biometrical authenticating on the phone, and the bank transfers that data to allow the customer to open the account.

“People will feel much more secure if they know they can control their information and permission it out only if they want to,” Ehrlich said.

He added that there’s a design element to the solutions as well. Organizations working on solutions worry that everyday people won’t have the tech savvy to work with encryption, but that can be solved by creating a user interface customers want to try and use.

How long will this take?
As they say in the Valley, it will change the world in our lifetime. Future generations will be taking this for granted.